[Security] Update Wireshark in Precise, Trusty, and Utopic to include relevant security patches.

Bug #1397091 reported by Thomas Ward
Affects              Status        Importance  Assigned to  Milestone
wireshark (Ubuntu)   Fix Released  High        Unassigned
  Precise            Won't Fix     High        Unassigned
  Trusty             Fix Released  High        Unassigned
  Utopic             Fix Released  High        Unassigned
  Xenial             Fix Released  Undecided   Unassigned
  Yakkety            Fix Released  Undecided   Unassigned
  Zesty              Fix Released  Undecided   Unassigned

Bug Description

In further discussion with the security team and others, it's probably easier (and more acceptable all over at this time) to backport all the fixes for the bugs into the various affected Wireshark versions already present in the repositories.

The original description for the bug is below, and is kept for historical reasons. Additional changes and actions on the bug will be in the comments.

==================

[Original Description]

In discussion with the Security team yesterday (November 26, 2014) in #ubuntu-hardened on IRC, I began digging through the list of Wireshark CVEs, attempting to correct the tracker and get the CVE statuses updated to reflect what actually does affect the versions in Trusty and later, rather than sit there with a ton of yellow and orange on the tracker.

During the discussion while I was making the revisions in my own branch of the CVE tracker, it was proposed by Marc Deslauriers that we look into a full version bump in the Wireshark package for all stable releases. Further discussion with Seth Arnold after that with me settled on targeting this for Precise, Trusty, and Utopic.

Unfortunately, security handling of this package is... tricky. There are so many CVEs that it becomes unwieldy to try and patch each individual CVE. Further discussion today (November 27, 2014) and input from Marc supports that conclusion. Therefore, it was suggested that we investigate updating the software to as close to latest as we can.

Vivid already has the patches that are included in the upstream version 1.12.2, and therefore has CVE fixes for the ones which were fixed in 1.12.2. To that end, I propose that we do a security update for Wireshark and apply the package from Vivid (with changes as necessary for releases) to earlier releases in order to fix the numerous security updates that are pending for the package.

------

The attached debdiffs are based off of the Vivid package. The package in Vivid contains all the security fixes in 1.12.2. The update would bring the Precise, Trusty, and Utopic into relative sync with the Vivid package.

The following is the details of the changes to the package that would need to be done for each release (and this will be outlined in debdiffs later) in order to build:

Precise:
* debian/control:
  - libgnutls28-dev has a version specified in it. To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Precise
  - Remove qt build deps, to prevent the Qt builds from being done/attempted.
  - Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package

Trusty:
* debian/control:
  - libgnutls28-dev has a version specified in it. To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Trusty
  - Remove qt build deps, to prevent the Qt builds from being done/attempted.
  - Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package

Utopic:
No changes need to be made to the package other than a new changelog entry targeting utopic-security. The Qt Wireshark package already exists in Utopic, therefore it did not need to be removed.

------

There should not be any major regressions by doing the version bump. There may be some UI changes, however the functionality of Wireshark will be improved, with most (if not all) of the current CVEs against the package being fixed.

------

Test builds for the attached debdiffs (targeted for the release specifically instead of the security pocket, because of it being in a PPA) can be found here:

https://launchpad.net/~teward/+archive/ubuntu/wireshark-security/+packages

Revision history for this message
Thomas Ward (teward) wrote :
summary: - [Security] Update Wireshark in all repositories to 1.12.1 from Vivid,
- please.
+ [Security] Update Wireshark in all repositories to 1.12.1+g01b65bf-2
+ (from Vivid)
summary: - [Security] Update Wireshark in all repositories to 1.12.1+g01b65bf-2
- (from Vivid)
+ [Security] Update Wireshark in Precise, Trusty, and Utopic to
+ 1.12.1+g01b65bf-2 (from Vivid)
Thomas Ward (teward)
description: updated
Evan Huus (eapache) wrote :

Hey there, I'm a wireshark core dev and kind of the unofficial point of contact for Ubuntu/Wireshark (along with Balint Reczey, who maintains the upstream Debian package).

As far as I know, Balint has been backporting the necessary CVE fixes into the wireshark packages for Debian stable. For precise, at least, moving from 1.6 to 1.12 is a huge change and perhaps unnecessary, when Debian stable-sec has a perfectly good 1.8.2-5wheezy13.

For trusty and utopic, updating to 1.12 seems the best way forward.

Please let me know if there's anything the Wireshark project can do to make this process easier for you in the future.

Evan

Evan Huus (eapache) wrote :

For what it's worth: Wireshark upstream releases regular micro-release, supporting each major version for at least two years. I have considered applying for an SRU MicroReleaseException [1] a couple of times in the past, but never had the time to really dig in and figure out all the requirements.

If somebody from the Ubuntu side would like to assist me with that I think that would be the best way to keep Ubuntu's Wireshark package secure going forward.

[1] https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions

Thomas Ward (teward) wrote :

Evan,

The idea I had, and the Security team seemed to suggest, was to make the update uniform - that is, the version across the releases would be identical, hence three debdiffs based on the same packaging in Vivid.

I'll leave it to the Security team to decide if they don't want to do this for Precise, and if they choose to use 1.8.2-* from wheezy's security repo for precise, that's fine by me, I'm happy to go grab the source from Debian and rebuild for Precise (and hoping that the builds won't Fail-To-Build) and then put the debdiff here for consideration (or update it in my PPA so they can grab it and pull it in).

Whichever happens is fine by me, I'm just a volunteer, and not a member of the security team, I just coordinate with them from time to time, and happened to volunteer to assist with this while poking the CVE tracker a bit.

Thomas Ward (teward) wrote :

After emailing with Evan, I believe there are a few things that are not as obvious that need to be looked at prior to this bug being processed.

A big major point to consider is that there are companies that have their own protocol plugins in Wireshark, and they are dependent on the API. It looks like the API changes somewhat rapidly, so from 1.6 to 1.12 there were several major API changes. Changing major versions will break the Wireshark API, and there will be major regressions on some applications (not in Ubuntu) as a result. (It seems the APIs have no reverse compatibility, which is the problem).

With regard to Precise being on the long-unsupported 1.6.x branch, moving from 1.6.x to 1.8.x introduces far fewer changes to the API, and for those third-party plugins the impact would be less work to get working again, with many needing just a recompile as the API changes were not substantial.

During the email with Evan, the suggestion from them was as follows, and I believe there may be merit in these solutions based on the Wireshark API problem:
(1) Precise should go to a supported Wireshark release, in this case 1.8.x, possibly based off of Debian's stable-sec which is maintained with security updates.
(2) Trusty should go to the latest 1.10.x release upstream, which fixes security issues there.
(3) Utopic is already 1.12.x and it is an unambiguous decision to move it up to the 1.12.1 packaging already in Vivid (which includes 1.12.2 security fixes).

I will investigate getting debdiffs into place for these three solutions. As such, Precise and Trusty debdiffs have been removed from the bug. The Utopic debdiff is still valid.

The PPA linked will be updated to remove the Trusty and Precise builds, until such time I have debdiffs for consideration based on the above solutions (1) and (2).

Marc Deslauriers (mdeslaur) wrote :

What third party plugins would that be? Do we ship any in the archive?

While I was ok with updating them to the latest version everywhere to simplify future maintenance, I am not ok with sponsoring updates to random versions.

The proper way to fix these packages is to backport the security fixes as per the usual procedure if updating to the latest version on a continuous basis isn't an option.

Thomas Ward (teward) wrote :

Marc:

That's an option, of course, and I'd be happy to start doing that; the issue is going to be with Precise being on an unsupported release for which fixes aren't backported anymore (whereas in 1.10 for Trusty, there are already fix backports upstream, based on what I'm able to tell so far).

As for what plugins they are which are impacted by this, as far as Evan explained in email:

"The main reason is that wireshark is not just a userspace application
- it is also an API. A substantial number of companies have private
internal protocol plugins based on our API - changing major versions
at *all* will break that API and cause serious regressions for those
companies."

I don't think we ship the plugins, as it appears that it's the companies themselves that create their own.

Again, though, ultimate decisions on this fall to the Security team, whatever you or anyone else decide.

Thomas Ward (teward) wrote :

Attaching the full content of the email from Evan to me, in response to my asking for details as to the main reason 1.8.x was suggested in Precise instead:

The main reason is that wireshark is not just a userspace application
- it is also an API. A substantial number of companies have private
internal protocol plugins based on our API - changing major versions
at *all* will break that API and cause serious regressions for those
companies.

For this reason, keeping Precise on the 1.6 branch would be the ideal
solution; unfortunately 1.6 has been unsupported by upstream for
nearly two years, so staying on the 1.6 branch securely would involve
jumping to the 1.6.16 upstream release, then manually backporting a
ton of CVE fixes. Moving to a secure 1.8-based branch is the next-best
thing. If I recall correctly the API changes between 1.6 and 1.8 are
very minor, and most plugins should work after simply being
recompiled.

For trusty (currently with version 1.10.6-1) I would actually
recommend moving to the upstream 1.10.11, which pulls in the latest
CVE fixes without breaking the API. Upstream 1.10 will be supported
until mid-2015 so pulling in upstream micro-releases will be
sufficient until then; after that point the choice will be between
doing additional work backporting CVE fixes or breaking the API by
moving to a still-supported release like 1.12.

For utopic (already on 1.12), moving to the latest upstream 1.12
release is the unambiguous choice.

This is the general shape of the problem: Ubuntu LTS releases are
supported for much longer (5 years) than Wireshark upstream supports
their releases (2 years). If Ubuntu wants to keep their Wireshark
package up-to-date with CVEs, they can either:
 - bump major versions and break the API
 - do the work of backporting CVE fixes themselves
 - ensure that Wireshark packages in LTS releases are based on
debian-stable versions since Balint (the Debian maintainer) already
does the work to pull in CVE fixes for those versions even when
they're unsupported

Hope this clarifies, please let me know if you have any other questions.
Evan

Balint Reczey (rbalint) wrote :

@Marc: With upgrading Wireshark to the next stable branch, netexpect will FTBFS:
https://launchpad.net/ubuntu/+source/netexpect

I think Evan's proposal is the best so far.
I have fixed all important CVEs in Debian.

Changed in wireshark (Ubuntu):
importance: Undecided → High
Thomas Ward (teward)
summary: - [Security] Update Wireshark in Precise, Trusty, and Utopic to
- 1.12.1+g01b65bf-2 (from Vivid)
+ [Security] Update Wireshark in Precise, Trusty, and Utopic to include
+ relevant security patches.
description: updated
Thomas Ward (teward) wrote :

Further discussion with mdeslaur on IRC and messages on https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1401314 from Evan have come up with a potential course of action, as follows: (Note the other bug there will be duped to this one).

(1) For Precise, we will work off of 1.6.16 as a base to fix 1.6.x targeted CVEs. Additional work will need to be done before that is accepted in Precise to specifically address whether all the later CVEs also affect 1.6.16, in which case they will need to be backported.
(2) For Trusty, we will work off of 1.10.11 as a base to fix all 1.10.x targeted CVEs. Additional work will need to be done before that is accepted in Trusty to specifically address whether all the later CVEs also affect 1.10.x, in which case they will need to be backported.
(3) For Utopic, we are going to take the 1.12.1 tarball from Vivid and use the Utopic packaging. We are also going to be nitpicking the patches from the Vivid packaging in 1.12.1+g01b65bf-2 which address CVEs which were fixed in 1.12.2.

For (1) and (2), this will be a somewhat longer process of poking at the version and identifying what other CVEs also need patching (and were perhaps ignored at the time of the CVE for 1.6.x as that was end-of-life).

For (3), I'll work on the packaging and get a debdiff available within a reasonable amount of time, my schedule permitting.

Thomas Ward (teward)
Changed in wireshark (Ubuntu Precise):
assignee: nobody → Thomas Ward (teward)
importance: Undecided → High
status: New → In Progress
Changed in wireshark (Ubuntu Trusty):
assignee: nobody → Thomas Ward (teward)
importance: Undecided → High
status: New → In Progress
Changed in wireshark (Ubuntu Utopic):
assignee: nobody → Thomas Ward (teward)
importance: Undecided → High
status: New → In Progress
Thomas Ward (teward)
Changed in wireshark (Ubuntu Utopic):
status: In Progress → Confirmed
assignee: Thomas Ward (teward) → nobody
Thomas Ward (teward) wrote :

Utopic debdiff attached - set back to Confirmed and unassigned for Utopic.

Thomas Ward (teward) wrote :

Debdiff updated per Marc's request on IRC. Additional changes outlined in debian/changelog entry (some additional changes from Vivid were needed).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wireshark - 1.12.1+g01b65bf-2~ubuntu14.10.1

---------------
wireshark (1.12.1+g01b65bf-2~ubuntu14.10.1) utopic-security; urgency=medium

  * Security Update to Address Multiple CVEs (LP: #1397091)
  * Use tarball from Vivid package of wireshark (1.12.1+g01b65bf-2)
  * Additional new patches (from 1.12.2) in debian/patches/:
    * 17_1.12.2_fix_TN5250_loop.patch: Fix TN5250 infinite loops
      vulnerability (CVE-2014-8714)
    * 18_1.12.2_fix_NCP_crash_1.patch & 19_1.12.2_fix_NCP_crash_2.patch: Fix
      NCP dissector crashes (CVE-2014-8712, CVE-2014-8713)
    * 20_1.12.2_fix_SigComp_crash.patch: Fix SigComp UDVM buffer overflow
      vulnerability (CVE-2014-8710)
    * 21_1.12.2_fix_AMQP_crash.patch: Fix AMQP dissector crash (CVE-2014-8711)
  * Additional patches/changes kept from Vivid:
    * d/patches/0001-Set-library-.so-versions-to-their-proper-value.patch:
      Set library .so versions to their proper value.
    * d/libwsutil4.symbols: File kept from Vivid.
 -- Thomas Ward <email address hidden> Thu, 11 Dec 2014 15:26:28 -0500

Changed in wireshark (Ubuntu Utopic):
status: Confirmed → Fix Released
Thomas Ward (teward) wrote :

Due to my schedule becoming a little more hectic, as well as some issues with my primary system, my work on this has stalled for the time being. As such, I'm unassigning myself from the Precise and Trusty tasks; the community is free to contribute to this, but I'll pick this up again as soon as my schedule settles a little.

Changed in wireshark (Ubuntu Precise):
assignee: Thomas Ward (teward) → nobody
status: In Progress → Confirmed
Changed in wireshark (Ubuntu Trusty):
assignee: Thomas Ward (teward) → nobody
status: In Progress → Confirmed
Balint Reczey (rbalint) wrote :

The plan involving branching from versions in Ubuntu only, like 1.6.x and 1.10.x, would involve a lot of manpower which did not seem to be available in the last 2 years and is unlikely to become available.

Fake-syncing the security changes from Debian, on the other hand, needs only a little effort on Ubuntu's side. The only reverse dependency of wireshark is netexpect and it has been removed from post-vivid releases, thus I would like to propose that path instead.

I'll prepare the packages in a PPA for testing.

For the record I already maintain a backport PPA of the latest stable Wireshark packages from Debian unstable/experimental to all supported Ubuntu releases:
https://launchpad.net/~wireshark-dev/+archive/ubuntu/stable/+packages

Those packages have the latest security fixes and are known to work well.

Balint Reczey (rbalint) wrote :

I have uploaded the proposed packages to https://launchpad.net/~rbalint/+archive/ubuntu/wireshark-sru/ for Trusty, Xenial, Yakkety and Zesty.
For Vivid please perform a fake sync from Debian jessie-security.

Tyler Hicks (tyhicks) wrote :

Hi Balint - Thanks for the updates. I happened to notice that these are security updates. Security updates that are to be sponsored should follow this process:

  https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes_for_Contributors

I'll update the bug tasks and subscribe ubuntu-security-sponsors this time. In the future, I strongly encourage you to do these steps as the Ubuntu Security Team may not notice your contributions.

@ubuntu-security-sponsors I haven't looked at Balint's updates other than a quick glance at the changelog entry to verify that they were to fix security issues.

Changed in wireshark (Ubuntu Precise):
status: Confirmed → Won't Fix
Changed in wireshark (Ubuntu Xenial):
status: New → Confirmed
Changed in wireshark (Ubuntu Yakkety):
status: New → Confirmed
Changed in wireshark (Ubuntu Zesty):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wireshark - 2.2.6+g32dac6a-2ubuntu0.17.04

---------------
wireshark (2.2.6+g32dac6a-2ubuntu0.17.04) zesty; urgency=medium

  * Security Update to Address Multiple CVEs (LP: #1397091)

 -- Balint Reczey <email address hidden> Mon, 29 May 2017 20:11:04 +0200

Changed in wireshark (Ubuntu Zesty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wireshark - 1.12.1+g01b65bf-4+deb8u11ubuntu0.14.04.1

---------------
wireshark (1.12.1+g01b65bf-4+deb8u11ubuntu0.14.04.1) trusty; urgency=medium

  * Security Update to Address Multiple CVEs (LP: #1397091)
  * Use GnuTLS available in Trusty

 -- Balint Reczey <email address hidden> Mon, 29 May 2017 19:28:35 +0200

Changed in wireshark (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wireshark - 2.2.6+g32dac6a-2ubuntu0.16.04

---------------
wireshark (2.2.6+g32dac6a-2ubuntu0.16.04) xenial; urgency=medium

  * Security Update to Address Multiple CVEs (LP: #1397091)

 -- Balint Reczey <email address hidden> Mon, 29 May 2017 20:10:45 +0200

Changed in wireshark (Ubuntu Xenial):
status: Confirmed → Fix Released
Seth Arnold (seth-arnold) wrote :

Thanks Balint!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wireshark - 2.2.6+g32dac6a-2ubuntu0.16.10

---------------
wireshark (2.2.6+g32dac6a-2ubuntu0.16.10) yakkety; urgency=medium

  * Security Update to Address Multiple CVEs (LP: #1397091)

 -- Balint Reczey <email address hidden> Mon, 29 May 2017 20:10:55 +0200

Changed in wireshark (Ubuntu Yakkety):
status: Confirmed → Fix Released
Changed in wireshark (Ubuntu):
status: Confirmed → Fix Released
tadas (blinda)
Changed in wireshark (Ubuntu):
assignee: nobody → tadas (blinda)
assignee: tadas (blinda) → nobody
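As an added example (not from the bug report, the Wireshark project or the Ubuntu packaging), here is a check an administrator could run against the fixed versions named in the Launchpad Janitor entries above: it implements the dpkg version-ordering rules, so that the backport suffix `~ubuntu14.10.1` correctly sorts below Vivid's `-2`, and pulls the CVE identifiers out of a changelog stanza. The function names `deb_version_compare`, `is_fixed` and `cves_in_changelog` are mine, and the installed versions in the `__main__` block are constructed samples.

```python
"""Check whether an installed wireshark version is at or past the version
that closed LP: #1397091 on a given Ubuntu release (added example, not
part of the bug report).  The fixed versions are the ones in the Launchpad
Janitor changelog entries; Precise was closed Won't Fix, so it has none."""
import re

FIXED = {  # fixed version per release, from the changelog entries in this bug
    "utopic":  "1.12.1+g01b65bf-2~ubuntu14.10.1",
    "trusty":  "1.12.1+g01b65bf-4+deb8u11ubuntu0.14.04.1",
    "xenial":  "2.2.6+g32dac6a-2ubuntu0.16.04",
    "yakkety": "2.2.6+g32dac6a-2ubuntu0.16.10",
    "zesty":   "2.2.6+g32dac6a-2ubuntu0.17.04",
}

def _order(c):
    # dpkg ordering of non-digit characters: '~' < end-of-string/digit < letters < others.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare alternating non-digit / digit runs the way dpkg's verrevcmp() does.
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            if _order(a[:1]) != _order(b[:1]):
                return -1 if _order(a[:1]) < _order(b[:1]) else 1
            a, b = a[1:], b[1:]
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):      # numeric compare ignores leading zeros
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def deb_version_compare(v1, v2):
    """Return -1, 0 or 1, matching `dpkg --compare-versions` lt / eq / gt."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_fixed(release, installed):
    """True if `installed` is at or above the version that fixed this bug on `release`."""
    if release not in FIXED:   # precise: Won't Fix, so nothing to compare against
        return False
    return deb_version_compare(installed, FIXED[release]) >= 0

def cves_in_changelog(stanza):
    """CVE identifiers a changelog stanza says it addresses, deduplicated and sorted."""
    return sorted(set(re.findall(r"CVE-\d{4}-\d{4,}", stanza)))

if __name__ == "__main__":
    # Constructed sample inputs: what two hosts might report via `dpkg -s wireshark`.
    for rel, inst in [("trusty", "1.10.6-1"), ("utopic", "1.12.1+g01b65bf-2~ubuntu14.10.1")]:
        print(rel, inst, "fixed" if is_fixed(rel, inst) else "VULNERABLE")
```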